TL;DR: LastPass users are being targeted by a phishing campaign that started around January 19, 2026. Attackers send emails warning of "urgent maintenance" and demanding users backup their vaults within 24 hours. The link leads to a fake login page at mail-lastpass[.]com that steals master passwords. LastPass says it will NEVER ask for your master password or set tight deadlines. Delete these emails. Don't click anything.
The Scam
LastPass's security team flagged an active phishing campaign on January 21, 2026.[1] Attackers are sending convincing emails that impersonate LastPass and create fake urgency.
The emails claim LastPass is performing maintenance and that you need to "backup your vault" within 24 hours or risk losing access. Subject lines include variations like:
- "LastPass Infrastructure Update: Secure Your Vault Now"
- "Your Data, Your Protection: Create a Backup Before Maintenance"
- "Protect Your Passwords: Backup Your Vault (24-Hour Window)"
Click the link, and you land on a fake LastPass login page. Enter your username and master password, and attackers now have the keys to your entire digital life.[2]
Technical Details
The phishing infrastructure uses a redirect chain to avoid detection:[3]
- Victims click the link in the email
- They're redirected through an AWS-hosted page at group-content-gen2.s3.eu-west-3.amazonaws.com
- The redirect sends them to the primary phishing domain: mail-lastpass[.]com
- The fake login page harvests credentials
The domain "mail-lastpass[.]com" is designed to look legitimate at a glance. It's not. The real LastPass domain is lastpass.com, no hyphens, no prefixes.
Why the Timing Works
Security researchers noted that the campaign launched over the MLK Day weekend in the United States (January 18-20, 2026). This wasn't an accident.[4]
Holiday weekends mean:
- IT security teams operating with skeleton crews
- Slower internal reporting of suspicious emails
- Delayed response to user reports
- More people checking personal email from home without corporate security filters
The 24-hour deadline adds pressure. Users panic and click before thinking. Classic social engineering.
Part of a Larger Pattern
This isn't the first password manager phishing campaign in recent months. Security analysts documented similar attacks targeting LastPass, Bitwarden, and 1Password within a three-week span in late 2025.[2]
Password managers are attractive targets for attackers:
- One master password unlocks access to hundreds of accounts
- Users often store banking credentials, email passwords, and crypto keys
- A compromised vault means total account takeover
This campaign is "alarmingly effective" according to security experts because it exploits users' trust in legitimate security notifications.[4]
LastPass's Response
LastPass issued a security advisory on January 21, 2026, with a clear message:[1]
"Please be advised that LastPass is NOT asking customers to backup their vaults in the next 24 hours. We want customers and the broader security community to be aware that LastPass will never ask for their master password or demand immediate action under a tight deadline."
The company says it's working with partners to take down the malicious infrastructure and has shared indicators of compromise (IOCs) with the security community.[1]
How to Spot the Fakes
Red flags that signal phishing:
- Urgency: "24 hours" or "immediate action required" (legitimate services rarely demand instant action)
- Threats: "Your vault will be deleted" (fear-based manipulation)
- Wrong domain: Hover over links. If it's not exactly "lastpass.com," don't click
- Requesting your master password: No legitimate service asks for this via email
- Generic greeting: Real LastPass emails typically use your name
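The "wrong domain" check above, and the lookalike host mail-lastpass[.]com from the redirect chain, are worth automating when triaging reported emails. The following is an added example, not code from LastPass or from the original write-up: it parses each link, undoes common defanging, and accepts only lastpass.com itself or a subdomain of it, rejecting hyphenated lookalikes, userinfo tricks and hosts that merely contain "lastpass.com" as a label. The .test hostnames are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit

# The only domain genuine LastPass links should point at, per the advisory:
# exactly lastpass.com, with no prefixes or hyphenated variants.
LEGIT_DOMAIN = "lastpass.com"

def refang(indicator: str) -> str:
    """Undo common defanging ("[.]" and "hxxp") so indicators can be parsed."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def link_hostname(url: str) -> Optional[str]:
    """Return the lowercase hostname a link really points at, or None if unparsable."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url  # bare domains pasted from an email still need a scheme to parse
    host = urlsplit(url).hostname  # drops userinfo, so https://lastpass.com@evil.test resolves to evil.test
    return host.rstrip(".").lower() if host else None

def is_legit_lastpass_link(url: str) -> bool:
    """True only if the host is lastpass.com itself or a subdomain of it."""
    host = link_hostname(url)
    if host is None:
        return False
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def classify_links(urls):
    """Split links into (legit, suspicious) lists for a quick triage report."""
    legit, suspicious = [], []
    for u in urls:
        (legit if is_legit_lastpass_link(u) else suspicious).append(u)
    return legit, suspicious

# Constructed sample: the two hosts named in the write-up plus lookalike
# patterns an analyst would want the check to catch (.test hosts are placeholders).
SAMPLE_LINKS = [
    "https://lastpass.com/",
    "https://mail-lastpass[.]com/login",                             # hyphenated lookalike from the campaign
    "https://group-content-gen2.s3.eu-west-3.amazonaws.com/redirect",  # the AWS redirect hop
    "https://lastpass.com.example-phish.test/backup",                # real domain used as a subdomain label
    "https://lastpass.com@example-phish.test/",                      # userinfo trick
    "hxxps://www.lastpass[.]com/vault",                              # defanged but genuine host
]

if __name__ == "__main__":
    legit, suspicious = classify_links(SAMPLE_LINKS)
    print("OK:        ", legit)
    print("SUSPICIOUS:", suspicious)
```

Note that this is a hostname check only; a genuine lastpass.com link can still be wrapped in a tracking redirector, so the "go direct" advice below still applies.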
What You Should Do
Delete Suspicious Emails
Got a "backup your vault" email claiming to be from LastPass? Delete it. Don't click links. Don't forward it. Just delete.
Go Direct
If you're worried about your LastPass account, open a new browser tab, type lastpass.com manually, and log in directly. Never use links from emails.
Check for Breaches
If you clicked a suspicious link and entered credentials, assume compromise. Change your master password immediately and rotate all passwords stored in your vault.
Enable MFA
Multi-factor authentication won't stop your master password from being phished, but it adds a barrier to anyone trying to use it. Use an authenticator app, not SMS.
Report Phishing
Forward phishing emails to [email protected] before deleting. Your report helps them track and disrupt the campaign.
Check Your Vault
Log into LastPass directly and review recent login activity. Look for unfamiliar locations or devices.
Context Matters
This phishing campaign comes on the heels of the 2022 LastPass breach that's still causing damage in 2026. Attackers are still cracking stolen vault backups and draining cryptocurrency wallets years later.
Between the old breach and this new phishing campaign, LastPass users face threats from multiple directions. Stay paranoid.
References
- [1] LastPass Blog - New Phishing Campaign Targeting LastPass Customers (January 2026)
- [2] The Hacker News - LastPass Warns of Fake Maintenance Messages Targeting Users' Master Passwords (January 2026)
- [3] The Register - Don't click the LastPass 'create backup' link (January 2026)
- [4] Infosecurity Magazine - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords (January 2026)